1. Establish the Context

Risk Management Framework

Establishing the context defines the scope for the risk management process and sets the criteria against which the risks will be assessed. The scope should be determined within the context of the firm's organisational objectives. Risks are uncertainties that affect the achievement of business objectives, so risks cannot fully be identified if these objectives and strategies are unclear.

The selection of key objectives within the business should be driven by an evaluation of the external and internal factors that may currently impact the firm. A review of both the external and internal context at the commencement of the risk assessment planning assists in identifying the processes which may be subject to increased risks and, as such, would derive the greatest value from the risk assessment.

Risks can arise due to external or internal influences:

  • External risks are exposures that result from environmental conditions that the firm commonly cannot influence, such as the regulatory environment and market conditions.
  • Internal risks are exposures that derive from decision-making and the use of internal and external resources, including the firm's operations and its objectives.

Establish the external context

The external context is the environment in which the firm operates and seeks to achieve its objectives. Consideration should be given to the following inputs as they relate to the business, social, regulatory, legislative, cultural, competitive, financial and political environment:

  • Strengths, weaknesses, opportunities and threats
  • Relationships with, perceptions and values of, external stakeholders such as clients.

Establish the internal context

The internal context is the internal environment in which the firm functions and seeks to achieve its objectives. Consideration should be given to factors such as:

  • Objectives and strategies in place to achieve objectives
  • Governance, structure, roles and accountabilities
  • Capability of people, systems and processes
  • Changes to processes or compliance obligations
  • The risk tolerance and appetite of the firm.

The output of this stage in the risk management process sets the scope for the risk assessment in terms of external and internal influences.

APES 325 requires that the following key organisational risks be considered within the context of the internal and external environment and taking into account internal and external stakeholders:

  • Governance
  • Business continuity, including succession planning
  • Business
  • Financial
  • Regulatory
  • Technology
  • Human resources
  • Stakeholder.

Business objectives

List the practice objectives for the firm and consider the key processes used in the operation of the business.

Assess the strengths, weaknesses, opportunities and threats that exist and how these may influence the firm's achievement of its objectives. Also consider the stakeholders who may be affected.

By establishing the context, the firm articulates its objectives and defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

AS/NZS ISO 31000:2009